Snort mailing list archives

Re: finding which rule


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 25 Jul 2014 21:11:11 -0400

On 7/25/2014 10:13 AM, Richard Smollett wrote:
> Yes. The file indicated in the snort.conf file is the empty one. I used #locate
> to see if there were any others, and there was one in my source package that
> was loaded with rules. I've moved that one to where the snort.conf file says it
> should be. Now I guess it's just a question of finding the correct rule and
> grooming it. I guess the only question from here is... how did snort have
> awareness of the rule if it wasn't where snort was configured to look for it?

how did snort know? because three digit GIDs are all coded in the binary 
modules... the rules file for them does not have to exist but if it does, it is 
easier to enable/disable the rules as well as a few other options with them...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
